A campaign is underway to clean up as many as 300,000 computers infected with DNSChanger viruses that divert victims' traffic to sites that can further exploit the machines and their owners, but it's not clear that goal can be accomplished without drastic measures.
If a machine is infected with DNSChanger, that infection is often accompanied by a rootkit that is very difficult to remove, says Jose Nazario, senior manager of security research at Arbor Networks.
"The safest thing is to nuke the box and reinstall," Nazario says, meaning that the hard drive should be wiped and the operating system and applications reloaded. "Remediation is one of the toughest challenges we face."
But there are also removal tools that can remove the rootkit without having to reformat, says Barry Greene, the former director of Internet Systems Consortium, a volunteer group that has been working on the problem. "A paranoid security person is going to tell you [reformatting] is what you've got to do," Greene says.
DNSChanger has attracted attention since November 8, 2011, when a major botnet distributing the viruses under the corporate name Rove Digital was taken down by the FBI, NASA Office of the Inspector General and Estonian police. The takedown involved seizing servers in New York, Chicago and Estonia.
It also resulted in the arrest of six men who have face charges in the US related to the botnet.
Subsequent to the takedown, special DNS servers managed by Internet Systems Consortium have been put in place to properly handle DNS requests from infected machines. Without these servers, those machines would not be able to connect to sites on the internet.
The court order allowing these servers to adopt the IP addresses of the ones used by Rove Digital expires July 9, when they will be taken offline. A that point, machines infected with DNSChanger won't be able to reach DNS servers and so won't be able to reach websites.
The public relations push started this week by members of the DNSChanger Working Group urges computer users to check their machines for infection and remediate the problem before July 9. The group has set up a website where users can find out if their machines are infected, remove the viruses and protect the machines from future infection.
The process sounds simple, but it's unclear how effective the dcwg.org-recommended diagnostics are.
The group's website refers visitors to www.dns-ok.us where a check is run on the machine that is connecting. But the results aren't conclusive.
After running the check, the site pops up this notice: "Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI's website at: http://www.fbi.gov/news/stories/2011/november/malware_110911"
The FBI site doesn't offer any more information about detecting whether machines are infected, but does refer back to www.dcwg.org.
Greene says that the check for infection requires no software download to the machine being tested. Instead, the machine sends a DNS query to a site set up by the testers who look at the DNS record on the query to see whether it came from one of the special Internet Systems Consortium servers. If so, that's an indication computer is infected.
If a victim's ISP has set up its own DNS servers to handle requests from infected machines, the test site will consider that a legitimate DNS source and conclude that the machine is not infected.
The DNSChanger Working Group is compiling a list of ISPs that have set up their own DNS servers to intercept queries from infected machines so their customers can find out from the ISPs whether their machines are infected, Greene says.
He also says that many such ISPs have already mailed letters to their customers whose machines they suspect of being infected. Sending such notifications by email would be easily mistaken for phishing.
The PR push to get the remaining infected computers cleaned up created some unexpected problems for DNSChanger Working Group's website. Traffic jumped from hundreds of hits per day to millions, with 5,000 concurrent connections. The site crashed one day, but it has been beefed up in the meantime, Greene says.